What Rspamd Does
Rspamd is a modern, high-performance spam filter that runs as a milter alongside Postfix. For every message Postfix processes — inbound or outbound — Rspamd performs a series of checks and assigns a numeric spam score. Based on that score, it instructs Postfix to pass, tag, or reject the message.
Checks Rspamd performs include:
- SPF, DKIM, and DMARC validation
- DNS blacklist lookups (DNSBL)
- URL and sender reputation
- Statistical (Bayes) classification based on trained ham/spam corpora
- Header analysis (malformed headers, suspicious patterns)
- Fuzzy hashing against known spam signatures
How Rspamd Integrates with Postfix
Rspamd connects to Postfix as a milter (mail filter) via a local Unix socket or TCP connection. Postfix is configured in main.cf to pass each message to Rspamd before accepting it into the queue:
smtpd_milters = inet:127.0.0.1:11332
non_smtpd_milters = inet:127.0.0.1:11332
milter_protocol = 6
milter_default_action = accept
milter_default_action = accept ensures that if Rspamd is unavailable, Postfix still accepts mail rather than bouncing everything.
Spam Score and Actions
Rspamd assigns each message a score. The default action thresholds are:
| Score | Action |
|---|---|
| < 6 | Pass — deliver normally |
| 6–15 | Add header — message is delivered with X-Spam: Yes and X-Spam-Score headers |
| > 15 | Reject — Postfix returns a 550 error; message is not accepted |
Dovecot (or a Sieve filter) can use the X-Spam headers to automatically move tagged messages to the Junk folder.
[!NOTE] These thresholds are the Rspamd defaults. They can be tuned for your environment — see the section on adjusting thresholds below.
Rspamd Web UI
Rspamd includes a web interface for monitoring and configuration. It binds to localhost only:
http://127.0.0.1:11334
Accessing it from a remote machine requires an SSH tunnel:
ssh -L 11334:127.0.0.1:11334 user@YOUR_SERVER_IP
Then open http://127.0.0.1:11334 in your browser. Log in with the Rspamd controller password set during installation (found in /etc/rspamd/local.d/worker-controller.inc).
The web UI provides:
- Live message throughput and score distribution graphs
- Per-symbol breakdown of recent message scores
- Configuration overview
- Bayes training interface
Adjusting Spam Thresholds
To change the default score thresholds, create or edit /etc/rspamd/local.d/actions.conf:
actions {
reject = 20;
add_header = 8;
greylist = 4;
}
After editing:
systemctl restart rspamd
[!TIP] If legitimate mail is being rejected, raise the
rejectthreshold rather than lowering scoring across the board. Then investigate which symbols are inflating the score using the web UI's per-message breakdown.
Whitelisting Senders
To whitelist a specific sender or domain so Rspamd never scores their mail as spam, add entries to /etc/rspamd/local.d/whitelist.conf:
# Whitelist a specific address
whitelist_from = "newsletter@trustedsender.com";
# Whitelist an entire domain
whitelist_from_domain = "partnercompany.com";
Or use the Whitelist section in the web UI under Settings.
Whitelisted messages still pass through Rspamd but receive a large negative score adjustment, effectively ensuring they are never tagged or rejected.
Blacklisting Senders
To reject mail from a specific sender unconditionally:
# /etc/rspamd/local.d/blacklist.conf
blacklist_from = "spammer@baddomain.com";
blacklist_from_domain = "baddomain.com";
Blacklisted senders receive a score high enough to trigger rejection regardless of other factors.
Training the Bayes Filter
Rspamd's Bayes filter improves accuracy over time when trained on known ham (legitimate mail) and spam. The more it is trained, the more accurate it becomes.
Training via command line
To train a message as spam:
rspamc learn_spam /path/to/message.eml
To train a message as ham:
rspamc learn_ham /path/to/message.eml
Messages should be in raw RFC 2822 format (.eml files). You can pull them from the Maildir store at /var/mail/vdomains/{domain}/{user}/.
Training via the web UI
The Rspamd web UI includes a Learn tab where you can paste raw message content and classify it as ham or spam.
Bayes corpus location
Rspamd stores Bayes data in Redis by default (if Redis is installed) or on-disk. Check /etc/rspamd/local.d/classifier-bayes.conf for the configured backend.
[!TIP] Bayes training requires a minimum corpus to become effective — typically at least 200 spam and 200 ham messages. Below this threshold, Bayes scores are ignored. The web UI shows the current corpus size.
Checking Rspamd Status
systemctl status rspamd
# View recent Rspamd log output
journalctl -u rspamd -n 100
# Show current Rspamd uptime and queue stats
rspamc stat